
Multi-Malware Cluster Bomb Campaign Creates Chaos in Cyberspace.


Researchers have uncovered a new cyber threat actor named “Unfurling Hemlock” that is utilizing a unique tactic to spread malware across systems in the US, Germany, Russia, and several other countries. This financially motivated Eastern European threat actor has been deploying a form of cyber cluster bomb, dropping up to 10 different malware files simultaneously on victim systems, leaving a trail of compromise and data theft in its wake.

Since February 2023, Unfurling Hemlock has been distributing hundreds of thousands of malware files to over 50,000 users globally, using compressed Microsoft Cabinet (CAB) files nested within other CAB files, sometimes up to seven layers deep. The malware payloads include information stealers like Mystic Stealer, Rise Pro, and Redline, as well as loaders such as SmokeLoader and Amadey. The complexity of this approach has made detection and eradication of the malware challenging for defenders.

According to Outpost24 researchers, the actor has been working with other threat groups to distribute malware and loaders, while also enlisting the help of other groups to deploy their cluster bomb malware. More than half of the infected systems are based in the US, indicating a significant impact on American individuals and organizations.

The campaign was brought to light by Outpost24 after investigating previous attacks where threat actors deployed multiple malware samples simultaneously on compromised systems. The use of Russian language in some malware samples and infrastructure based in Eastern Europe led researchers to believe that the threat group originates from that region.

Unfurling Hemlock’s modus operandi involves distributing cluster bomb malware via email or through loaders belonging to other threat groups. The malware is hidden within nested cabinet files, each level containing a new variant of malware, making it a challenge for security tools to detect and mitigate the threat effectively. In some instances, the actor has included obfuscators and tools to disable endpoint threat detection and response systems on victim machines.
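The nested-cabinet packaging described above is the part a detection engineer can act on directly: the CAB header layout is simple enough to parse without a full extractor, so a pre-screening scanner can walk the CFHEADER, CFFOLDER and CFFILE records, descend into members that are themselves cabinets, and flag an archive whose nesting depth exceeds a policy threshold before any payload is ever executed. The Python below is an added example written for this page; it is not code from the article, from Outpost24, or from any tool they describe. It follows Microsoft's published CAB structure, expands only stored (uncompressed) folders inline and reports compressed (MSZIP/LZX/Quantum) folders for a full extractor to handle, and builds its own constructed test cabinets with inert placeholder bytes; the function names, the `max_levels` threshold and the sample member names are assumptions made for the demonstration.

```python
import struct

# Constants from the Microsoft Cabinet (CAB) file format specification.
CAB_SIGNATURE = b"MSCF"
CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET, CFHDR_RESERVE_PRESENT = 0x0001, 0x0002, 0x0004
COMPRESSION_NONE = 0  # typeCompress value for a stored (uncompressed) folder

def parse_cab(blob):
    """Parse CFHEADER, CFFOLDER and CFFILE records of one cabinet."""
    if blob[:4] != CAB_SIGNATURE:
        raise ValueError("missing MSCF signature")
    cb_cabinet, coff_files, c_folders, c_files, flags = struct.unpack_from("<4xI4xI4x2xHHH", blob, 4)
    if cb_cabinet > len(blob):
        raise ValueError("cabinet header claims more bytes than are present")
    pos, folder_reserve, data_reserve = 36, 0, 0  # 36 = size of the fixed CFHEADER
    if flags & CFHDR_RESERVE_PRESENT:
        cb_header, folder_reserve, data_reserve = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_header
    for flag in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):
        for _ in range(2 if flags & flag else 0):  # cabinet name + disk name, NUL-terminated
            pos = blob.index(b"\0", pos) + 1
    folders = []
    for _ in range(c_folders):
        coff, n_blocks, compression = struct.unpack_from("<IHH", blob, pos)
        folders.append({"coff": coff, "blocks": n_blocks, "compression": compression})
        pos += 8 + folder_reserve
    files, pos = [], coff_files
    for _ in range(c_files):
        size, uoff, ifolder = struct.unpack_from("<IIH", blob, pos)
        pos += 16  # cbFile, uoffFolderStart, iFolder, date, time, attribs
        end = blob.index(b"\0", pos)
        files.append({"name": blob[pos:end].decode("latin-1"), "size": size, "offset": uoff, "ifolder": ifolder})
        pos = end + 1
    return {"folders": folders, "files": files, "data_reserve": data_reserve}

def read_stored_folder(blob, folder, data_reserve):
    """Concatenate the CFDATA blocks of an uncompressed folder."""
    out, pos = bytearray(), folder["coff"]
    for _ in range(folder["blocks"]):
        _csum, cb_data, cb_uncomp = struct.unpack_from("<IHH", blob, pos)
        pos += 8 + data_reserve
        chunk = blob[pos:pos + cb_data]
        if len(chunk) != cb_data or cb_data != cb_uncomp:
            raise ValueError("malformed stored CFDATA block")
        out += chunk
        pos += cb_data
    return bytes(out)

def walk_cab(blob, depth=0, path="", findings=None):
    """List every member; recurse into members that are themselves cabinets."""
    findings = [] if findings is None else findings
    hdr, folder_cache = parse_cab(blob), {}
    for f in hdr["files"]:
        member = f"{path}/{f['name']}"
        folder = hdr["folders"][f["ifolder"]] if f["ifolder"] < len(hdr["folders"]) else None
        if folder is None or folder["compression"] != COMPRESSION_NONE:
            # Spans another cabinet, or MSZIP/LZX/Quantum data: hand to a full extractor.
            findings.append({"path": member, "depth": depth, "status": "not-expanded"})
            continue
        if f["ifolder"] not in folder_cache:
            folder_cache[f["ifolder"]] = read_stored_folder(blob, folder, hdr["data_reserve"])
        content = folder_cache[f["ifolder"]][f["offset"]:f["offset"] + f["size"]]
        if content[:4] == CAB_SIGNATURE:
            findings.append({"path": member, "depth": depth, "status": "nested-cab"})
            walk_cab(content, depth + 1, member, findings)
        else:
            findings.append({"path": member, "depth": depth, "status": "payload"})
    return findings

def assess(blob, max_levels=2):
    """Policy check: a flat cabinet is 1 level; flag anything nested deeper than max_levels."""
    findings = walk_cab(blob)
    levels = 1 + max((f["depth"] for f in findings), default=0)
    payloads = [f["path"] for f in findings if f["status"] == "payload"]
    return {"levels": levels, "payloads": payloads, "suspicious": levels > max_levels, "findings": findings}

def build_stored_cab(members):
    """Constructed test input: a single-folder, uncompressed CAB (one CFDATA block, <= 32 KiB)."""
    names = [name.encode("ascii") + b"\0" for name, _ in members]
    folder_data = b"".join(data for _, data in members)
    coff_files = 36 + 8  # CFHEADER followed by one CFFOLDER
    coff_data = coff_files + sum(16 + len(n) for n in names)
    total = coff_data + 8 + len(folder_data)
    header = CAB_SIGNATURE + struct.pack("<IIIIIBBHHHHH", 0, total, 0, coff_files, 0, 3, 1, 1, len(members), 0, 0x1234, 0)
    folder = struct.pack("<IHH", coff_data, 1, COMPRESSION_NONE)
    cffiles, offset = b"", 0
    for n, (_, data) in zip(names, members):
        cffiles += struct.pack("<IIHHHH", len(data), offset, 0, 0, 0, 0x20) + n
        offset += len(data)
    return header + folder + cffiles + struct.pack("<IHH", 0, len(folder_data), len(folder_data)) + folder_data

if __name__ == "__main__":
    # Constructed three-level sample; the "MZ" payload bytes are inert placeholders, not real malware.
    inner = build_stored_cab([("stealer_a.bin", b"MZ" + b"\x90" * 40), ("stealer_b.bin", b"MZ" + b"\xcc" * 40)])
    middle = build_stored_cab([("stage2.cab", inner), ("loader.bin", b"MZ" + b"\x00" * 30)])
    print(assess(build_stored_cab([("stage1.cab", middle)])))
```

Running the file prints the report for the constructed three-level sample: `levels` is 3, `suspicious` is True, and `payloads` lists every non-cabinet member with its full nested path, which is what an analyst needs to count distinct droppers per archive. In a mail gateway or sandbox pre-screen the same recursive walk would be applied to whatever a full extractor such as cabextract produces for MSZIP or LZX folders, since those are the cases this parser deliberately leaves as `not-expanded`.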

Evan Dornbush, a former NSA cybersecurity expert, pointed out the similarities between Unfurling Hemlock’s tactics and those used by notorious malware like Flame and Gauss, noting the complexity and challenges posed by multi-staged malware with diversified payloads. This approach not only evades detection but also makes the complete eradication of infection difficult, as some second-stage tools may have independent command-and-control systems.

As cyber threats continue to evolve, Outpost24 warns that other threat actors may adopt similar tactics to distribute malware in the future. Defenders are advised to remain vigilant and focus on fundamental security practices to mitigate the risk posed by such cluster bomb attacks. Despite the intricate nature of Unfurling Hemlock’s operations, most of the malware used in these attacks is well-documented and known, providing an opportunity for proactive defense measures.

In conclusion, the emergence of Unfurling Hemlock and its cluster bomb malware distribution highlights the growing sophistication and complexity of cyber threats. With cybercriminals constantly innovating new tactics, organizations and individuals must stay informed and proactive in defending against such malicious actors to safeguard their sensitive data and infrastructure.
